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DETAILED ACTION 
Information Disclosure Statement 
The Information Disclosure Statement filed in the Provisional Application 60/523427, 
from which this application claims priority, has not been considered due to the fact that 
Information Disclosure Statements are not to be filed in provisional applications. In order for 
these documents to be considered Applicants must file the IDS and furnish appropriate 
references (i.e. any cited NPL and Foreign Patents). See 37 CFR 1.51(d). 

Claim Rejections - 35 USC § 112 
The following is a quotation of the second paragraph of 35 U.S. C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

Claims 29-33, 66-70, 78-82, 88-91, and 94 rejected under 35 U.S.C. 1 12, second 
paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject 
matter which applicant regards as the invention. 
As per claims 29, 32-33, 66-67, 69-70, 78, 80-82, and 90: 

The term "configurable" in the listed claims is a relative term which renders the claim 
indefinite. The term "configurable" is not defined by the claim, the specification does not 
provide a standard for ascertaining the requisite degree, and one of ordinary skill in the art would 
not be reasonably apprised of the scope of the invention. 
As per claims 79 and 80: 

The term "trusted. . .range" in the listed claims is a relative term which renders the claim 
indefinite. The term "trusted" is not defined by the claim, the specification does not provide a 
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standard for ascertaining the requisite degree, and one of ordinary skill in the art would not be 
reasonably apprised of the scope of the invention. 
As per claim 8 1 : 

Claim 81 recites the limitation "the trusted EP range" in lines 4 and 6. There is 
insufficient antecedent basis for this limitation in the claim as only a "trusted address range" has 
been previously defined. In order to treat this claim on its merits, Examiner presumes that 
Applicants intended to refer to the "trusted address range" that has been previously defined in the 
parent claim. 

As per claims 3 1, 68, 89, and 94: 

These claims are rejected by virtue of their dependency. 



Claim Rejections - 35 USC § 101 

I. 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

II. Claims 38-74 are rejected under 35 U.S.C. 101 because the claimed invention is directed 
to non-statutory subject matter, as they do not fall under any of the statutory classes of 
inventions. The language in the claims raise an issue because the claims are directed merely to 
an abstract idea that is not tied to an article of manufacture which would result in a practical 
application producing a concrete, useful, and tangible result to form the basis of statutory subject 
matter under 35 U.S.C. 101. 
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Claim Rejections - 35 USC §102 

III. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed 
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351 (a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language. 

IV. Claims 1-8, 38-45, 1 1-28, 30-31, 35, 48-65, 67-68, and 72 are rejected under 35 
U.S.C. 102(e) as being fully anticipated by Olkin et al., US Pub. No., 2003/0046533. 
As per claims 1 and 38: 

Olkin et al. teach a method/computer program product on a computer readable medium, 
comprising the steps of: identifying entities legitimately entitled to service (par. 45); establishing 
said identified entities as trusted entities (par. 45); processing requests from said trusted entities 
according to a first policy (par. 45 and par. 46, lines 1-4); and processing remaining requests 
according to at least a second policy (par. 46, lines 4-9). 
As per claims 2 and 39: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 1 and 38. Furthermore, Olkin et al. teach wherein an entity comprises a user ID/client 
pair (par. 79). 
As per claims 3 and 40: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 2 and 39. Furthermore, Olkin et al. teach wherein said client comprises any of: an 
instance of a client software application; and a machine running a client software application 
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(par. 46). 

As per claims 4 and 41: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 2 and 40. Furthermore, Olkin et al. teach wherein entities legitimately entitled to 
service comprise entities previously able to successfully authenticate to a network service (par. 
46). 

As per claims 5 and 42: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 4 and 41. Furthermore, Olkin et al. teach wherein said network service comprises a 
server (par. 110). 
As per claims 6 and 43 : 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 4 and 41. Furthermore, Olkin et al. teach wherein establishing said identified entities 
as trusted entities comprises the step of: issuing a trust token for each entity successfully 
authenticating to said network service (par. 79). 
As per claims 7 and 44: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 6 and 43. Furthermore, Olkin et al. teach wherein said trust token comprises a data 
object (par. 49). 
As per claims 8 and 45: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 7 and 44. Furthermore, Olkin et al. teach said data object including: said user ID or a 
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derivative thereof (par. 49). 
As per claims 1 1 and 48: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 8 and 47. Furthermore, Olkin et al. teach said data object including a client identifier 
(par. 75). 

As per claims 12 and 49: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 1 1 and 48. Furthermore, Olkin et al. teach said client identifier comprising any of: a 
client identifier assigned by said network service; and a client identifier provided by the client 
(par. 75). 

As per claims 13 and 50: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 7 and 45. Furthermore, Olkin et al. teach further comprising a step of encrypting said 
trust token (par. 74). 
As per claims 14 and 5 1 : 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claim 13 and 50. Furthermore, Olkin et al. teach further comprising the step of: transmitting 
said trust token from said network service to said client upon successful authentication to said 
network service by said entity (par. 1 15). 
As per claims 15 and 52: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 14 and 51. Furthermore, Olkin et al. teach wherein said step of transmitting said trust 
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token occurs via a secure channel (par. 1 16). 
As per claims 16 and 53: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 15 and 52. Furthermore, Olkin et al. teach wherein said secure channel comprises a 
network connection secured via the SSL (secure sockets layer) protocol (par. 116). 
As per claims 17 and 54: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 7 and 49. Furthermore, Olkin et al. teach further comprising the step of: storing said 
issued trust token on said client (par. 95). 
As per claims 18 and 55: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 17 and 54. Furthermore, Olkin et al. teach further comprising the step of: transmitting 
said stored issued trust token along with said user ID, authentication credentials, and client 
identifier from said client to said network service (par. 76). 
As per claims 19 and 56: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 18 and 55. Furthermore, Olkin et al. teach wherein said step of transmitting said 
stored, issued trust token occurs via a secured channel (par. 85). 
As per claims 20 and 57: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 19 and 56. Furthermore, Olkin et al. teach wherein said secured channel comprises a 
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network connection secured via the SSL (secure sockets layer) protocol (par. 85-86). 
As per claims 21 and 58: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 12 and 50. Furthermore, Olkin et al. teach further comprising a step of storing said 
issued trust token in a server side database, indexed according to a combination of user ED and 
client identifier (par. 74-75). 
As per claims 22 and 59: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 21 and 58. Furthermore, Olkin et al. teach further comprising the step of: transmitting 
said client identifier assigned by said network service from said network service to said client 
upon successful authentication to said network service by said entity (par. 103-109). 
As per claims 23 and 60: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 22 and 59. Furthermore, Olkin et al. teach wherein said step of transmitting said client 
identifier assigned by said network service occurs via a secure channel (par. 103). 
As per claims 24 and 61 : 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 22 and 59. Furthermore, Olkin et al. teach said secure channel comprising a network 
connection secured via the SSL (secure sockets layer) protocol (par. 103). 
As per claims 25 and 62: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 21 and 58. Furthermore, Olkin et al. teach further comprising the steps of: transmitting 
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said user ID and client identifier to said server; and retrieving said stored trust token from said 

database (par. 1 14). 

As per claims 26 and 63 : 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 21 and 58. Furthermore, Olkin et al. teach wherein said server side database serves a 
plurality of services (par. 43). 
As per claims 27 and 64: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 2 and 40. Furthermore, Olkin et al. teach wherein processing requests from said 
trusted entities according to a first policy comprises the steps of: validating said trust token (par. 
1 12); and processing request without adding incremental response latency (par. 1 14). 
As per claims 28 and 65: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 27 and 64. Furthermore, Olkin et al. teach wherein said step of validating said trust 
token comprises the step of: verifying that the user ED and a client identifier in the trust token 
match those presented by the client on the request (par. 112). 
As per claims 30 and 67: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 2 and 40. Furthermore, Olkin et al. teach wherein processing remaining requests 
according to at least a second policy comprises adding a configurable amount of incremental 
response latency when processing untrusted logins (par. 140). 
As per claims 3 1 and 68: 
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Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 30 and 67. Furthermore, Olkin et al. teach wherein untrusted logins include successful 
and unsuccessful logins from entities not bearing a trust token (par. 1 12). 
As per claims 35 and 72: 

Olkin et al. teach the method/computer program product on a computer readable medium 
of claims 1 and 39. Furthermore, Olkin et al. teach wherein said policies are applied by a server 
(par. 115). 

Claim Rejections - 35 USC § 103 

VI. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

VII. Claims 9 and 46 are rejected under 35 U.S.C. 103(a) as being unpatentable over Olkin et 
al, US Pub. No., 2003/0046533 as applied to claims 8 and 45 above, and further in view of 
Morkel, US Patent No. 2002/0052921. 

As per claims 9 and 46: 

Olkin et al. substantially teach the method/computer program product on a computer 
readable medium of claims 8 and 45. Not explicitly disclosed is wherein said derivative 
comprises a cryptographic hash of the user ID. However, Morkel teaches that in order to 
maintain a secure id, it is hashed before being stored. Therefore, it would have been obvious to a 
person in the art at the time the invention was made to modify the method disclosed in Morkel to 



Application/Control Number: 10/759,596 Page 11 

Art Unit: 2137 

hash the user ID in order to maintain security. This modification would have been obvious 
because a person having ordinary skill in the art, at the time the invention was made, would have 
been motivated to do so since Morkel suggests that using a hash of the user's id secures the id 
from being compromised in par. 7. 

VIII. Claims 10, 29, 37, 47, 66, 74-76, 78-87, and 93 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over Olkin et al., US Pub. No., 2003/0046533 as applied to claims 6, 8, 28, 
44-45, and 65 above, and further in view of Pallante, US Pub. No. 2003/0028495. 
As per claims 10 and 47: 

Olkin et al. substantially teach the method/computer program product on a computer 
readable medium of claims 8 and 45. Not explicitly disclosed is wherein said data object further 
includes any of: a time stamp of first authentication to said network service by said entity; and a 
time stamp of a most recent authentication to said network service by said entity. However, 
Pallante teaches that logs are kept with timestamps of when users were authenticated in order to 
access documents. Therefore, it would have been obvious to a person in the art at the time the 
invention was made to modify the method disclosed in Olkin et al. to maintain a time stamp for a 
first and most recent authentication when the entity accesses the system. This modification 
would have been obvious because a person having ordinary skill in the art, at the time the 
invention was made, would have been motivated to do so since Pallante suggests that time- 
stamping and maintaining a log with the time-stamping information is important in non- 
repudiation proofs in par 154. 
As per claims 29 and 66: 
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Olkin et al. substantially teach the method/computer program product on a computer 
readable medium of claims 28 and 65. Not explicitly disclosed is wherein said step of validating 
said trust token further comprises any of the steps of: verifying that a time stamp of a first 
authentication by the entity recorded in the trust token is no earlier than a configurable earliest 
acceptable first-authentication time stamp; and verifying that a time stamp of a last 
authentication by the entity recorded in the trust token is no earlier than a configurable earliest 
acceptable last-authentication time stamp. However, Pallante teaches wherein the token is a 
certificate which holds a validity period of when the entity can gain access to the system. 
Therefore, it would have been obvious to a person in the art at the time the invention was made 
to modify the method disclosed in Olkin et al. to enhance the security of the system by using a 
certificate instead of a password as the trust token and to allow access based on the validity 
period as defined by the certificate. This modification would have been obvious because a 
person having ordinary skill in the art, at the time the invention was made, would have been 
motivated to do so since Pallante suggests that using a certificate and abiding by the validity 
periods in important to ensure that entities do not gain access unless they are allowed based on 
their privileges in par. 99. 
As per claims 37 and 74: 

Olkin et al. substantially teach the method/computer program product on a computer 
readable medium of claims 6 and 44. Not explicitly disclosed is further comprising the step of: 
updating said trust token after a login by a trusted entity. However, Pallante teaches that the 
trusted token may be a certificate in order to increase security, as well as renewing certificates 
when appropriate. Therefore, it would have been obvious to a person in the art at the time the 
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invention was made to modify the method disclosed in Olkin et al. to use a certificate as the trust 
token and to renew it when necessary. This modification would have been obvious because a 
person having ordinary skill in the art, at the time the invention was made, would have been 
motivated to do so since Pallante suggests that renewing a certificate will further ensure that 
appropriate entities gain access to resources for the full duration of the amount of time they are 
entitled to do so in par. 5 1 . 
As per claim 75: 

Olkin et al. teach a method of establishing an entity requesting a network service as 
trusted, comprising the steps of: for each successful authentication, adding or updating a 
database record containing at least a user identifier, an originating network address (par. 79); 
comparing all subsequent authentication requests to said record; and where the user identifier of 
a subsequent request matches that of a successful authentication, extending trust to the 
subsequent request if its originating network address satisfy predetermined criteria in relation to 
said record (par. 45 and 51). 

Not explicitly disclosed are a date/timestamp of first and/or the current successful 
authentication and wherein the timestamp information satisfies predetermined criteria in relation 
to said record. However, Pallante teaches that a timestamp is used in order to increase the 
system's integrity and indicate normalcy when the timestamps fall within some predetermined 
criteria. Therefore, it would have been obvious to a person in the art at the time the invention was 
made to modify the method disclosed in Olkin et al. to maintain a time stamp for a first and most 
recent authentication when the entity accesses the system and to test the timestamp information 
against previous time-stamping information in regards to the stored record. This modification 
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would have been obvious because a person having ordinary skill in the art, at the time the 
invention was made, would have been motivated to do so since Pallante suggests that time- 
stamping and maintaining a log with the time-stamping information where the current time is 
compared with the stored record is important in non-repudiation proofs and in maintaining the 
integrity of the user database in par, 61 . 
As per claim 76: 

Olkin et al. and Pallante substantially teach the method of claim 75. Furthermore, Olkin 
et al. teach wherein said step of adding or updating a database record comprises either of the 
steps of: creating a new record by said network service if an entity has not previously 
authenticated to said network service (par. 46); and updating a previously created record for 
subsequent authentication requests from said entity (par. 47). 
As per claim 78: 

Olkin et al. and Pallante substantially teach the method of claim 75. Furthermore, 
Pallante teaches wherein the step of extending trust to the subsequent request comprises: 
extending trust if the user identification and originating network address match those of the 
record exactly, and wherein the data/timestamps from the record satisfy configurable bounds 
checks (par. 156). 
As per claim 79: 

Olkin et al. and Pallante substantially teach the method of claim 75. Furthermore, 
Pallante teaches wherein the step of extending trust to the subsequent request comprises: when 
the user identifier of the subsequent request matches that of a record, determining a trusted 
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address range for the user identifier from stored authentication records (par. 79). 
As per claim 80: 

Olkin et al. and Pallante substantially teach the method of claim 79. Furthermore, Olkin 
et al. teach wherein the step of extending trust to the subsequent request further comprises: if the 
originating address of the subsequent request falls within the trusted address range (par. 79), and 
Pallante teaches determining if the data/timestamps for the trusted address range satisfy 
configurable bounds checks (par. 156). 
As per claim 8 1 : 

Olkin et al. and Pallante substantially teach the method of claim 79. Furthermore, 
Pallante teaches wherein the step of determining if the data/timestamps for the trusted address 
range satisfy configurable bounds checks comprises the steps of: establishing earliest 
date/timestamp for the trusted address range as a minimum for the earliest authentication 
timestamp; and establishing earliest date/timestamp for the trusted address range as a maximum 
for the earliest authentication timestamp (par 156). 
As per claim 82: 

Olkin et al. and Pallante substantially teach the method of claim 79. Furthermore, 
Pallante teaches wherein the step of extending trust to the subsequent request further comprises: 
if the timestamps pass configurable bounds checks, extending trust to the request (par. 156). 
As per claim 83: 

Olkin et al. and Pallante substantially teach the method of claim 75. Furthermore, Olkin 
et al. teach wherein the entity comprises a user requesting the network service from an 
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anonymous client (par. 46). 
As per claim 84: 

Olkin et al. and Pallante substantially teach the method of claim 83. Furthermore, Olkin 
et al. teach wherein the network service comprises a server (par. 1 10). 
As per claim 85: 

Olkin et al. and Pallante substantially teach the method of claim 84. Furthermore, Olkin 
et al. teach wherein the client and the server are in communication via a secured network channel 
(par. 103). 
As per claim 86: 

Olkin et al. and Pallante substantially teach the method of claim 85. Furthermore, Olkin 
et al. teach said secure channel comprising a network connection secured via the SSL (secure 
sockets layer) protocol (par. 103). 
As per claim 87: 

Olkin et al. and Pallante substantially teach the method of claim 75. Furthermore, Olkin 
et al. teach further comprising the steps of: processing requests from trusted entities according to 
a first policy (par. 46, lines 1-4; and processing remaining requests according to at least a second 
policy (par. 46, lines 4-6). 
As per claim 93: 

Olkin et al. and Pallante substantially teach the method of claim 87. Furthermore, Olkin 
et al. teach wherein said policies are applied by a server (par. 110). 
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IX. Claims 32-33, 36, 69-70, and 73 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Olkin et al., US Pub. No., 2003/0046533 as applied to claims 8 and 45 above, 
and further in view of Roux et al., US Pub. No. 2002/0042883. 
As per claim 32: 

Olkin et al. substantially teach the method of claim 3 1 . Not explicitly disclosed is 
wherein response latency is added to a configurable percentage of successful untrusted logins. 
However, Roux et al. teach that if a response is not received within a valid time period, the user 
is deemed untrustworthy. Therefore, it would have been obvious to a person in the art at the time 
the invention was made to modify the method disclosed in Olkin et al. to add a response latency 
to untrusted logins to determine whether or not certain user profiles should not be trusted. This 
modification would have been obvious because a person having ordinary skill in the art, at the 
time the invention was made, would have been motivated to do so since Roux et al. suggest that 
a response should be received within a valid period of time in order to further determine whether 
or not a certain user is trustworthy in par. 47. 
As per claims 33 and 70: 

Olkin et al. substantially teach the method/computer program product on a computer 
readable medium of claims 2 and 40. Not explicitly disclosed is wherein processing remaining 
requests according to at least a second policy comprises adding a configurable amount of 
incremental response latency when processing requests from untrusted EP addresses that have 
exceeded a configurable login rate. However, Roux et al. teach that if a response is not received 
within a valid time period, the user is deemed untrustworthy. Therefore, it would have been 
obvious to a person in the art at the time the invention was made to modify the method disclosed 
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in Olkin et al. to add a response latency to untrusted logins to determine whether or not certain 
user profiles should not be trusted. This modification would have been obvious because a person 
having ordinary skill in the art, at the time the invention was made, would have been motivated 
to do so since Roux et al. suggest that a response should be received within a valid period of time 
in order to further determine whether or not a certain user is trustworthy in par. 47. 
As per claims 36 and 73: 

Olkin et al. substantially teach the method/computer program product on a computer 
readable medium of claims 35 and 39. Not explicitly disclosed is wherein said server applies 
rate policies for a plurality of network devices. However, Roux et al. teach that if a response is 
not received within a predetermined time period, the user is deemed untrustworthy and the 
communication is discarded. Therefore, it would have been obvious to a person in the art at the 
time the invention was made to modify the method disclosed in Olkin et al. for the server to 
apply a rate policy for the network devices. This modification would have been obvious because 
a person having ordinary skill in the art, at the time the invention was made, would have been 
motivated to do so since Roux et al. suggest that a response should be received within a valid 
period of time in order to further determine whether or not a certain user is trustworthy in par. 
37. 

As per claim 69: 

Olkin et al. substantially teach the computer program product on a computer readable 
medium of claim 68. Not explicitly disclosed is wherein response latency is added to a 
configurable percentage of successful logins. However, Roux et al. teach that if a response is not 
received within a valid time period, the user is deemed untrustworthy. Therefore, it would have 
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been obvious to a person in the art at the time the invention was made to modify the method 
disclosed in Olkin et al. to add a response latency to untrusted logins to determine whether or not 
certain user profiles should not be trusted. This modification would have been obvious because a 
person having ordinary skill in the art, at the time the invention was made, would have been 
motivated to do so since Roux et al. suggest that a response should be received within a valid 
period of time in order to further determine whether or not a certain user is trustworthy in par. 
47. 

X. Claims 34 and 71 are rejected under 35 U.S.C. 103(a) as being unpatentable over Olkin et 
al., US Pub. No., 2003/0046533 as applied to claims 2 and 40 above, and further in view of Card, 
US Pub. No. 2002/0073339. 
As per claims 34 and 71 : 

Olkin et al. substantially teach the method/computer program product on a computer 
readable medium of claims 2 and 40. Not explicitly disclosed is wherein processing remaining 
requests according to at least a second policy comprises requiring an untrusted entity to complete 
a Turing test. However, Card teaches that questioning the user based on information that only the 
user would know allows for stronger authentication. Therefore, it would have been obvious to a 
person in the art at the time the invention was made to modify the method disclosed in Olkin et 
al. (as modified with Pallante) to subject an untrusted entity to complete a Turing test in order to 
determine whether or not that user is a valid user or if the user should remain untrusted. This 
modification would have been obvious because a person having ordinary skill in the art, at the 
time the invention was made, would have been motivated to do so since Card suggests that 
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requiring the user to answer a security question, which is known only to that user, in order to 
establish whether or not he/she should be trusted allows for stronger authentication in par. 43. 
XI. Claims 77, 88-91 and 94 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Olkin et al., US Pub. No., 2003/0046533 and Pallante, US Pub. No. 2003/0028495 as applied to 
claims 75 and 87 above, and further in view of Roux et al., US Pub. No. 2002/0042883. 
As per claim 77: 

Olkin et al. and Pallante substantially teach the method of claim 75. Not explicitly 
disclosed is wherein a network address comprises an IP (internet protocol) address. However, 
Roux et al. teach that if the IP address is authenticated, it adds a stronger means of authentication 
when used in combination with other factors. Therefore, it would have been obvious to a person 
in the art at the time the invention was made to modify the method disclosed in Olkin et al. (as 
modified with Pallante) for the network address to also include an IP address. This modification 
would have been obvious because a person having ordinary skill in the art, at the time the 
invention was made, would have been motivated to do so since Roux et al. suggest that using an 
IP address adds a stronger means of authentication when used in combination with other user 
information in par. 47. 
As per claim 88: 

Olkin et al. and Pallante substantially teach the method of claim 87. Not explicitly 
disclosed is wherein processing remaining requests according to at least a second policy 
comprises adding a configurable amount of incremental response latency when processing 
untrusted logins. However, Roux et al. teach that if a response is not received within a valid time 
period, the user is deemed untrustworthy. Therefore, it would have been obvious to a person in 
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the art at the time the invention was made to modify the method disclosed in Olkin et al. (as 
modified with Pallante) to add a response latency to untrusted logins to determine whether or not 
certain user profiles should not be trusted. This modification would have been obvious because a 
person having ordinary skill in the art, at the time the invention was made, would have been 
motivated to do so since Roux et al. suggest that a response should be received within a valid 
period of time in order to further determine whether or not a certain user is trustworthy in par. 
47. 

As per claim 89: 

Olkin et al, Pallante, and Roux et al. substantially teach the method of claim 88. 
Furthermore, Roux et al. teach wherein untrusted logins include successful and unsuccessful 
logins from untrusted entities (par. 47), 
As per claim 90: 

Olkin et al., Pallante, and Roux et al. substantially teach the method of claim 89. 
Furthermore, Roux et al. teach wherein response latency is added to a configurable percentage of 
successful untrusted logins (par.47). 
As per claim 91: 

Olkin et al. and Pallante substantially teach the method of claim 87. Not explicitly 
disclosed is wherein processing remaining requests according to at least a second policy 
comprises adding a configurable amount of incremental response latency when processing 
requests from IP addresses that have exceeded a configurable login rate. However, Roux et al. 
teach that if a response is not received within a valid time period, the user is deemed 
untrustworthy. Therefore, it would have been obvious to a person in the art at the time the 
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invention was made to modify the method disclosed in Olkin et al. (as modified with Pallante) to 
add a response latency to untrusted logins to determine whether or not certain user profiles 
should not be trusted. This modification would have been obvious because a person having 
ordinary skill in the art, at the time the invention was made, would have been motivated to do so 
since Roux et al. suggest that a response should be received within a valid period of time in order 
to further determine whether or not a certain user is trustworthy in par. 47. 
As per claim 94: 

Olkin et al., Pallante, and Roux et al. substantially teach the method of claim 91. Not 
explicitly disclosed is wherein said server applies rate policies for a plurality of network devices. 
However, Roux et al. teach that if a response is not received within a predetermined time period, 
the user is deemed untrustworthy and the communication is discarded. Therefore, it would have 
been obvious to a person in the art at the time the invention was made to modify the method 
disclosed in Olkin et al. (as modified with Pallante and Roux et al.) for the server to apply a rate 
policy for the network devices. This modification would have been obvious because a person 
having ordinary skill in the art, at the time the invention was made, would have been motivated 
to do so since Roux et al. suggest that a response should be received within a valid period of time 
in order to further determine whether or not a certain user is trustworthy in par. 37. 
XII. Claim 92 is rejected under 35 U.S.C. 103(a) as being unpatentable over Olkin et al., US 
Pub. No., 2003/0046533 and Pallante, US Pub. No. 2003/0028495 as applied to claim 87 above, 
and further in view of Card, US Pub. No. 2002/0073339. 
As per claim 92: 
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Olkin et al. and Pallante substantially teach the method of claim 87, wherein processing 
remaining requests according to at least a second policy comprises requiring an untrusted entity 
to complete a Turing test. However, Card teaches that questioning the user based on information 
that only the user would know allows for stronger authentication. Therefore, it would have been 
obvious to a person in the art at the time the invention was made to modify the method disclosed 
in Olkin et al. (as modified with Pallante) to .subject an untrusted entity to complete a Turing test 
in order to determine whether or not that user is a valid user or if the user should remain 
untrusted. This modification would have been obvious because a person having ordinary skill in 
the art, at the time the invention was made, would have been motivated to do so since Card 
suggests that requiring the user to answer a security question, which is known only to that user, 
in order to establish whether or not he/she should be trusted allows for stronger authentication in 
par. 43. 
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Conclusion 



Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Nadia Khoshnoodi whose telephone number is (571) 272-3825. 
The examiner can normally be reached on M-F: 8:00-4:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise can be reached on (571) 272-3865. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
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